fix(msk): allow both sasl/scram and iam auth #31743

Open
wants to merge 8 commits into
base: main

Contributor

@msambol msambol commented Oct 14, 2024

Pointed out here and verified in the Console, both SASL/SCRAM and IAM can be enabled together.

Closes #32779

It's a little confusing because CloudFormation groups Iam and Scram together under Sasl,
but the Console separates the two and allows both at the same time. I'd like to refactor this further but
this change unblocks the issue where SASL/SCRAM and IAM cannot be enabled together.

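The CloudFormation grouping described in the PR description, as an added example that is not part of the PR or the CDK code base: a check over the `Resources` of a synthesized template that lists which client-authentication mechanisms each `AWS::MSK::Cluster` enables. The function names, finding strings and sample template are assumptions constructed for illustration.

```typescript
// Added example, not code from the PR. Property names follow the
// AWS::MSK::Cluster ClientAuthentication shape; everything else is hypothetical.
type Flag = { Enabled?: boolean };
interface ClientAuth {
  Sasl?: { Iam?: Flag; Scram?: Flag };
  Tls?: { CertificateAuthorityArnList?: string[]; Enabled?: boolean };
  Unauthenticated?: Flag;
}
interface Resource { Type: string; Properties?: { ClientAuthentication?: ClientAuth } }
interface Audit { mechanisms: string[]; findings: string[] }

// Iam and Scram are siblings under Sasl, so both can be enabled at once.
function enabledMechanisms(auth?: ClientAuth): string[] {
  const on: string[] = [];
  if (auth?.Sasl?.Iam?.Enabled === true) on.push('IAM');
  if (auth?.Sasl?.Scram?.Enabled === true) on.push('SASL/SCRAM');
  if (auth?.Tls?.Enabled === true) on.push('TLS');
  if (auth?.Unauthenticated?.Enabled === true) on.push('UNAUTHENTICATED');
  return on;
}

// Report enabled mechanisms and review findings for every MSK cluster.
function auditTemplate(resources: Record<string, Resource>): Record<string, Audit> {
  const report: Record<string, Audit> = {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (!res || res.Type !== 'AWS::MSK::Cluster') continue;
    const auth = res.Properties?.ClientAuthentication;
    const mechanisms = enabledMechanisms(auth);
    const findings: string[] = [];
    if (mechanisms.length === 0) findings.push('no client authentication mechanism enabled');
    if (mechanisms.indexOf('UNAUTHENTICATED') !== -1) findings.push('unauthenticated access enabled');
    const cas = auth?.Tls?.CertificateAuthorityArnList ?? [];
    if (cas.length > 0 && auth?.Tls?.Enabled !== true) findings.push('Tls lists CAs but Enabled is not true');
    report[id] = { mechanisms, findings };
  }
  return report;
}

// Constructed sample: the Resources section of a synthesized template.
const sampleResources: Record<string, Resource> = {
  Both: { Type: 'AWS::MSK::Cluster', Properties: { ClientAuthentication: {
    Sasl: { Iam: { Enabled: true }, Scram: { Enabled: true } } } } },
  TlsNoFlag: { Type: 'AWS::MSK::Cluster', Properties: { ClientAuthentication: {
    Tls: { CertificateAuthorityArnList: ['arn:aws:acm-pca:us-west-2:111122223333:certificate-authority/EXAMPLE'] } } } },
  Open: { Type: 'AWS::MSK::Cluster', Properties: { ClientAuthentication: {
    Unauthenticated: { Enabled: true } } } },
  Bucket: { Type: 'AWS::S3::Bucket' },
};
console.log(JSON.stringify(auditTemplate(sampleResources), null, 2));
```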

@aws-cdk-automation aws-cdk-automation requested a review from a team October 14, 2024 05:09
@github-actions github-actions bot added distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 labels Oct 14, 2024
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@@ -124,7 +124,7 @@ const cluster = new msk.Cluster(this, 'cluster', {
});
```

### SASL/IAM
### IAM
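Review bot: Renaming the heading from `### SASL/IAM` to `### IAM` changes the anchor generated for this README section, so any existing links to the old heading will stop resolving; worth a search for references before merging. With SASL dropped from the title, consider adding one sentence under the heading stating that IAM can be enabled alongside SASL/SCRAM, since that is the behaviour this PR unblocks and the heading alone no longer hints at it.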
Contributor Author

Removing SASL here to avoid confusion.

@@ -422,6 +422,7 @@ exports[`MSK Cluster Snapshot test with all values set 1`] = `
"CertificateAuthorityArnList": [
"arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111",
],
"Enabled": true,
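Review bot: The new `"Enabled": true` beside `CertificateAuthorityArnList` is pinned only by this snapshot, which is regenerated rather than reasoned about. Consider adding an explicit unit assertion that `Enabled` is true whenever certificate authorities are supplied, and note in the PR description that the synthesized template changes for clusters that already use TLS client authentication, so reviewers can confirm the resulting update is expected.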
Contributor Author

Enabled was missing previously. See here.

@msambol msambol changed the title fix(msk): allow both scram and iam auth fix(msk): allow both sasl/scram and iam auth Oct 14, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 14, 2024 07:50

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 14, 2024
Contributor

@nmussy nmussy left a comment

LGTM overall, just some missing regression tests and a style suggestion.

This is probably outside the scope of this PR, but it might be a good idea to expose Enabled if a user wants to set the props value but disable the feature. I'm just assuming here, but switching from Enabled: false to Enabled: true might be faster than updating CertificateAuthorityArnList for instance.

packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts (outdated)
},
},
});
});
Contributor Author

@nmussy I added some additional unit tests

testCases: [stack],
});

app.synth();
Contributor Author

@nmussy I created a new integration test that covers all 3 authentication types. The existing test is costly/timely to deploy 😓

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 14, 2024
Contributor Author

msambol commented Oct 14, 2024

> This is probably outside the scope of this PR, but it might be a good idea to expose Enabled if a user wants to set the props value but disable the feature. I'm just assuming here, but switching from Enabled: false to Enabled: true might be faster than updating CertificateAuthorityArnList for instance.

Agree on adding that, perhaps in a follow-on PR. I also think Iam should be decoupled from the SaslProps.

@aws-cdk-automation
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

codecov bot commented Dec 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.40%. Comparing base (1d7d1fc) to head (010d164).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #31743   +/-   ##
=======================================
  Coverage   81.40%   81.40%           
=======================================
  Files         223      223           
  Lines       13727    13727           
  Branches     2411     2411           
=======================================
  Hits        11175    11175           
  Misses       2274     2274           
  Partials      278      278           
Flag Coverage Δ
suite.unit 81.40% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.74% <ø> (ø)
packages/aws-cdk-lib/core 82.10% <ø> (ø)

@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort labels Jan 9, 2025
@aws-cdk-automation
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 010d164
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

@nmussy nmussy left a comment

LGTM thanks for the changes 👍

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 16, 2025
Successfully merging this pull request may close these issues.

aws-msk-alpha: Cluster enforces incorrect authentication constraint